[Cryptography] Dual_EC_DRBG backdoor: a proof of concept

Krisztián Pintér pinterkr at gmail.com
Fri Jan 3 17:50:15 EST 2014
Theodore Ts'o (at Friday, January 3, 2014, 7:01:16 PM):
> Sure, but a prng is not the only tool in the toolbox.  You can also
> try to grab entropy from hardware, and from OS-level events.

i call moving goalposts on this one. it can be the case that we don't
need prngs. we can grab enough unpredictable information from hw
sources that we can just extract all the randomness we need.

but not needing a solution does not make the solution incorrect. there
might be a case when we need it.

basically we have two schools on this, and i don't know where i
belong. one school says that you need true random source. no matter
how whitened or processed, it won't generate more entropy. the other
school says you need 128 bits of unpredictability, and then you can
extract megabytes of randomness with no risk at all. we understand
that there is only 128 bit uncertainty, but it is enough.

you can subscribe to the former school. but then, you don't want
fortuna either, nor any other prng. or you subscribe to the latter
school, but in this case, you have to admit that the quality of the
prng matters. and you also have to agree that bbs delivers some
security properties that for example aes does not.


>> that said, as i heard, dual-ec does not have a security proof. correct
>> me if i'm wrong.

> It has a security proof *if* the primes are chosen in an honest fashion.

are you sure of that? because i recall that someone said it is a myth,
it does not have a proof. unlike bbs that indeed has. anyway, i might
be wrong on that, but that is what i heard.